
Given the nature of software development and software developers, especially given American companies decide to value shareholder profits over programmer productivity, this might as well be effectively "You don't need to get vaccines, simply don't get sick from other people."



Things like this are supposed to be provenance of an organization's security engineering teams. Helping to ensure you don't ship something like this. It's also hard for them too because no one wants to force developers to re-implement already solved functionality.


I also have never met a security engineer that was eager to do that.


> never met a security engineer that was eager to do that

Of course not. We do the fun parts, and write tickets to make the dev team do the boring parts that we will later complain are not implemented to the quality standard we would have reached, had we done the work. That's the deal.


Late to reply, but yeah no one is eager to do it. Unfortunately being good at security means being really good at work that is boring, tedious, and not glamorous, which also measures poorly into OKRs and other facets of shipping culture. Unless the team has really strong leadership that can get the security engineer ladders divested from the SWE/SRE ladders.

I literally just finished up writing up something that does supply chain provenance checking across 9 languages and still have a lot of edge cases to handle. It's not fun, but it's honest work.


Out of curiosity, I've always meant to ask, are you related to the famous GeoGuessr content creator in any way? It's a pretty distinctive last name.


I believe he might be a distant cousin. I've done some family tree searching myself and haven't found many things, since the Rainbolt side has mostly been scoundrels and vagabonds there aren't many details, but we do have a mountain that we named after ourselves after we stole it from natives.



